Password field with auto-complete

Low Web Application Scanning Plugin ID 98081




In typical form-based web applications, it is common practice for developers to
leave `autocomplete` enabled on the HTML form to improve the usability of the page.
With `autocomplete` enabled (the browser default), the browser may store
previously entered form values and offer to fill them in again on later visits.

For legitimate purposes, this allows the user to quickly re-enter the same data
when completing the form multiple times.

When `autocomplete` is enabled on the username field, the password field, or both,
an attacker with access to the victim's computer (or to the victim's browser
profile) can have the stored credentials filled in automatically simply by
visiting the affected page in that browser.

The scanner has discovered that the affected page contains a form with a
password field for which `autocomplete` has not been disabled.


The `autocomplete` attribute can be set in two different locations.

The first, and broadest, option is to disable `autocomplete` on the `<form>` tag. This disables `autocomplete` for every input within that form that does not carry its own `autocomplete` attribute. An example of disabling `autocomplete` on the form tag is `<form autocomplete="off">`.

The second, slightly less desirable, option is to disable `autocomplete` on the specific `<input>` tag. While this is the narrower solution from a security perspective, it may be the preferred method for usability reasons, depending on the size of the form, since other fields keep their auto-fill behaviour. An example of disabling `autocomplete` on a password input is `<input type="password" autocomplete="off">`. An input-level value always overrides the form-level value, so `<input type="password" autocomplete="on">` inside a form with `autocomplete="off"` is still reported.

Note that current versions of the major browsers ignore `autocomplete="off"` on login password fields for their built-in password managers, so the attribute is a hardening measure rather than a complete control. On sign-up and change-password forms, the token `autocomplete="new-password"` is the value browsers honour to avoid offering a stored password for that field.
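The following is an added example, not Tenable's plugin code, showing the check the plugin performs as a small stand-alone scanner: it walks the HTML, tracks the enclosing form's `autocomplete` value, and reports every password input whose effective value is not disabled. The sample forms are constructed for illustration (a vulnerable login form, the form-level fix, the input-level fix, and an input that re-enables auto-fill inside a disabled form); treating `new-password` as a remediated value is an assumption, not part of the plugin's description.

```python
from html.parser import HTMLParser

# Values that stop the browser offering stored credentials for a field.
# "off" is the token this plugin looks for; treating "new-password" as
# remediated as well is an assumption of this example.
SAFE_TOKENS = {"off", "new-password"}


class PasswordAutocompleteChecker(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not disabled.

    The effective value is the input's own attribute if present, otherwise the
    enclosing <form>'s attribute, otherwise the browser default "on".
    """

    def __init__(self):
        super().__init__()
        self._form_stack = []   # autocomplete value of each currently open <form>
        self.findings = []      # (line, column, effective_value) for each hit

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; bare attributes give None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._form_stack.append(attrs.get("autocomplete", "on").strip().lower())
        elif tag == "input" and attrs.get("type", "text").strip().lower() == "password":
            if "autocomplete" in attrs:
                effective = attrs["autocomplete"].strip().lower()   # input overrides form
            elif self._form_stack:
                effective = self._form_stack[-1]                     # inherit from <form>
            else:
                effective = "on"                                     # browser default
            if effective not in SAFE_TOKENS:
                line, col = self.getpos()
                self.findings.append((line, col, effective))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def find_autocomplete_password_fields(html):
    """Return [(line, column, effective_autocomplete)] for every unprotected password input."""
    checker = PasswordAutocompleteChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample forms (not taken from any real application).
VULNERABLE = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""

FIXED_FORM_LEVEL = """<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""

FIXED_INPUT_LEVEL = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>"""

# An input-level attribute overrides the form-level one, so this is still reported.
OVERRIDDEN = """<form action="/login" method="post" autocomplete="off">
  <input type="password" name="pass" autocomplete="on">
</form>"""


if __name__ == "__main__":
    for label, sample in [("vulnerable", VULNERABLE), ("form-level fix", FIXED_FORM_LEVEL),
                          ("input-level fix", FIXED_INPUT_LEVEL), ("overridden", OVERRIDDEN)]:
        print(f"{label:16s} -> {find_autocomplete_password_fields(sample)}")
```

Attribute names and tag names are compared case-insensitively and values are stripped and lowercased, so unquoted or mixed-case markup such as `<INPUT TYPE=Password AUTOCOMPLETE=Off>` is handled the same way as the quoted examples above.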

Plugin Details

Severity: Low

ID: 98081

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Low

CVSS v2.0

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Reference Information